Accepting request 903070 from home:lnussel:usrmove

- Remove legacy pre-usrmerge compat code (removed pam-usrmerge.diff) - Backport patch to not install /usr/etc/securetty (boo#1033626) ie no distro defaults and don't complain about it missing (pam_securetty-don-t-complain-about-missing-config.patch) - add debug bcond to be able to build pam with debug output easily - add macros file to allow other packages to stop hardcoding directory names. Compatible with Fedora. - Remove usrmerged conditional as it's now the default OBS-URL: https://build.opensuse.org/request/show/903070 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=241
2021-07-09 12:12:20 +00:00 · 2021-07-09 12:12:20 +00:00 · 089ed3e485
commit 089ed3e485
parent dd0389449b
8 changed files with 192 additions and 200 deletions
--- a/macros.pam
+++ b/macros.pam
@ -0,0 +1,7 @@
+%_pam_libdir     %{_libdir}
+%_pam_moduledir  %{_libdir}/security
+%_pam_secconfdir %{_sysconfdir}/security
+%_pam_confdir    %{_sysconfdir}/pam.d
+%_pam_vendordir  %{_distconfdir}/pam.d
+# legacy, to be retired
+%_pamdir         %{_pam_moduledir}
--- a/pam-usrmerge.diff
+++ b/pam-usrmerge.diff
@ -1,16 +0,0 @@
-Index: Linux-PAM-1.4.0/libpam/pam_handlers.c
-===================================================================
--- Linux-PAM-1.4.0.orig/libpam/pam_handlers.c
-+++ Linux-PAM-1.4.0/libpam/pam_handlers.c
-@@ -801,6 +801,11 @@ int _pam_add_handler(pam_handle_t *pamh
- 	} else if (asprintf(&mod_full_path, "%s%s",
- 			     DEFAULT_MODULE_PATH, mod_path) >= 0) {
- 	    mod = _pam_load_module(pamh, mod_full_path, handler_type);
-+	    /* for usrmerge transition, the the path in / also */
-+	    if (mod == NULL && !strncmp(DEFAULT_MODULE_PATH, "/usr/", 5) &&
-+		    access(mod_full_path+4, F_OK)) {
-+		    mod = _pam_load_module(pamh, mod_full_path+4, handler_type);
-+	    }
- 	    _pam_drop(mod_full_path);
- 	} else {
- 	    pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
--- a/pam.changes
+++ b/pam.changes
@ -3,6 +3,17 @@ Fri Jun 25 08:07:04 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

 - Create /run/motd.d

+-------------------------------------------------------------------
+Wed Jun  9 14:01:19 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
+
+- Remove legacy pre-usrmerge compat code (removed pam-usrmerge.diff)
+- Backport patch to not install /usr/etc/securetty (boo#1033626) ie
+  no distro defaults and don't complain about it missing
+  (pam_securetty-don-t-complain-about-missing-config.patch)
+- add debug bcond to be able to build pam with debug output easily
+- add macros file to allow other packages to stop hardcoding
+  directory names. Compatible with Fedora.
+
 -------------------------------------------------------------------
 Mon May 10 14:22:01 UTC 2021 - Josef Möllers <josef.moellers@suse.com>

--- a/pam.spec
+++ b/pam.spec
@ -15,19 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #

-
-%if !0%{?usrmerged}
-%define libdir /%{_lib}
-%define sbindir /sbin
-%define pamdir /%{_lib}/security
-%else
-%define libdir %{_libdir}
-%define sbindir %{_sbindir}
-# moving this to /usr needs fixing
-# several packages short of
-# https://github.com/linux-pam/linux-pam/issues/256
-%define pamdir %{_libdir}/security
-%endif
+%bcond_with debug

 #
 %define enable_selinux 1
@ -38,6 +26,9 @@
  %define _distconfdir %{_sysconfdir}
  %define config_noreplace 1
 %endif
+#
+%{load:%{_sourcedir}/macros.pam}
+#
 Name:           pam
 #
 Version:        1.5.1
@ -48,12 +39,12 @@ Group:          System/Libraries
 URL:            http://www.linux-pam.org/
 Source:         Linux-PAM-%{version}.tar.xz
 Source1:        Linux-PAM-%{version}-docs.tar.xz
+Source2:        macros.pam
 Source3:        other.pamd
 Source4:        common-auth.pamd
 Source5:        common-account.pamd
 Source6:        common-password.pamd
 Source7:        common-session.pamd
-Source8:        securetty
 Source9:        baselibs.conf
 Source10:       unix2_chkpwd.c
 Source11:       unix2_chkpwd.8
@ -68,15 +59,14 @@ Patch8:         pam-bsc1177858-dont-free-environment-string.patch
 Patch9:         pam-pam_cracklib-add-usersubstr.patch
 Patch10:        pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
 Patch11:        bsc1184358-prevent-LOCAL-from-being-resolved.patch
+# https://github.com/linux-pam/linux-pam/commit/e842a5fc075002f46672ebcd8e896624f1ec8068
+Patch100:       pam_securetty-don-t-complain-about-missing-config.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
 BuildRequires:  flex
 BuildRequires:  libtool
 BuildRequires:  xz
-# this is only needed in the transition phase to make sure modules
-# are also loaded from /lib/security as fallback
-Patch99:         pam-usrmerge.diff
 Requires(post): permissions
 # All login.defs variables require support from shadow side.
 # Upgrade this symbol version only if new variables appear!
@ -181,25 +171,25 @@ cp -a %{SOURCE12} .
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
-%if 0%{?usrmerged}
-%patch99 -p1
-%endif
+%patch100 -p1

 %build
 bash ./pam-login_defs-check.sh
-export CFLAGS="%{optflags} -DNDEBUG"
+export CFLAGS="%{optflags}"
+%if !%{with debug}
+CFLAGS="$CFLAGS -DNDEBUG"
+%endif
 %configure \
 	--includedir=%{_includedir}/security \
 	--docdir=%{_docdir}/pam \
 	--htmldir=%{_docdir}/pam/html \
 	--pdfdir=%{_docdir}/pam/pdf \
-%if !0%{?usrmerged}
-	--sbindir=/sbin \
-	--libdir=/%{_lib} \
-%endif
-	--enable-isadir=../..%{pamdir} \
-	--enable-securedir=%{pamdir} \
+	--enable-isadir=../..%{_pam_moduledir} \
+	--enable-securedir=%{_pam_moduledir} \
 	--enable-vendordir=%{_distconfdir} \
+%if %{with debug}
+	--enable-debug \
+%endif
 	--enable-tally2 --enable-cracklib
 make %{?_smp_mflags}
 gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
@ -208,46 +198,31 @@ gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags}
 %make_build check

 %install
-mkdir -p %{buildroot}%{_sysconfdir}/pam.d
-mkdir -p %{buildroot}%{_distconfdir}/pam.d
+mkdir -p %{buildroot}%{_pam_confdir}
+mkdir -p %{buildroot}%{_pam_vendordir}
 mkdir -p %{buildroot}%{_includedir}/security
-mkdir -p %{buildroot}%{pamdir}
+mkdir -p %{buildroot}%{_pam_moduledir}
 mkdir -p %{buildroot}/sbin
 mkdir -p -m 755 %{buildroot}%{_libdir}
 %make_install
 /sbin/ldconfig -n %{buildroot}%{libdir}
 # Install documentation
 %make_install -C doc
-# install securetty
-install -m 644 %{SOURCE8} %{buildroot}%{_distconfdir}
-%ifarch s390 s390x
-for i in ttyS0 ttyS1 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 sclp_line0 ttysclp0; do
-	echo "$i" >>%{buildroot}/%{_distconfdir}/securetty
-done
-%endif
 # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
-install -d %{buildroot}%{_sysconfdir}/security/namespace.d
+install -d %{buildroot}%{_pam_secconfdir}/namespace.d
 # install other.pamd and common-*.pamd
-install -m 644 %{SOURCE3} %{buildroot}%{_distconfdir}/pam.d/other
-install -m 644 %{SOURCE4} %{buildroot}%{_distconfdir}/pam.d/common-auth
-install -m 644 %{SOURCE5} %{buildroot}%{_distconfdir}/pam.d/common-account
-install -m 644 %{SOURCE6} %{buildroot}%{_distconfdir}/pam.d/common-password
-install -m 644 %{SOURCE7} %{buildroot}%{_distconfdir}/pam.d/common-session
-%if !0%{?usrmerged}
-rm %{buildroot}/%{_lib}/libpam.so
-ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} %{buildroot}%{_libdir}/libpam.so
-rm %{buildroot}/%{_lib}/libpamc.so
-ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} %{buildroot}%{_libdir}/libpamc.so
-rm %{buildroot}/%{_lib}/libpam_misc.so
-ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} %{buildroot}%{_libdir}/libpam_misc.so
-%endif
+install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
+install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
+install -m 644 %{SOURCE5} %{buildroot}%{_pam_vendordir}/common-account
+install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/common-password
+install -m 644 %{SOURCE7} %{buildroot}%{_pam_vendordir}/common-session
 mkdir -p %{buildroot}%{_prefix}/lib/motd.d
 #
 # Remove crap
 #
 find %{buildroot} -type f -name "*.la" -delete -print
 for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
-  ln -f %{buildroot}%{pamdir}/pam_unix.so %{buildroot}%{pamdir}/$x.so
+  ln -f %{buildroot}%{_pam_moduledir}/pam_unix.so %{buildroot}%{_pam_moduledir}/$x.so
 done
 #
 # Install READMEs of PAM modules
@ -260,24 +235,23 @@ for i in pam_*/README; do
 done
 popd
 # Install unix2_chkpwd
-install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{sbindir}
+install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
 install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
 # rpm macros
-mkdir -p %{buildroot}/usr/lib/rpm/macros.d
-echo "%%_pamdir %pamdir" > %{buildroot}%{_prefix}/lib/rpm/macros.d/macros.pam
+install -D -m 644 %{SOURCE2} %{buildroot}%{_prefix}/lib/rpm/macros.d/macros.pam
 # /run/motd.d
 install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/motd.conf
 # Create filelist with translations
 %find_lang Linux-PAM

 %verifyscript
-%verify_permissions -e %{sbindir}/unix_chkpwd
-%verify_permissions -e %{sbindir}/unix2_chkpwd
+%verify_permissions -e %{_sbindir}/unix_chkpwd
+%verify_permissions -e %{_sbindir}/unix2_chkpwd

 %post
 /sbin/ldconfig
-%set_permissions %{sbindir}/unix_chkpwd
-%set_permissions %{sbindir}/unix2_chkpwd
+%set_permissions %{_sbindir}/unix_chkpwd
+%set_permissions %{_sbindir}/unix2_chkpwd
 %tmpfiles_create %{_tmpfilesdir}/motd.conf

 %postun -p /sbin/ldconfig
@ -294,34 +268,32 @@ done

 %files -f Linux-PAM.lang
 %exclude %{_defaultdocdir}/pam
-%dir %{_sysconfdir}/pam.d
-%dir %{_distconfdir}/pam.d
-%dir %{_sysconfdir}/security
-%dir %{_sysconfdir}/security/limits.d
+%dir %{_pam_confdir}
+%dir %{_pam_vendordir}
+%dir %{_pam_secconfdir}
+%dir %{_pam_secconfdir}/limits.d
 %dir %{_prefix}/lib/motd.d
 %ghost %dir %{_rundir}/motd.d
 %if %{defined config_noreplace}
-%config(noreplace) %{_sysconfdir}/pam.d/other
-%config(noreplace) %{_sysconfdir}/pam.d/common-*
-%config(noreplace) %{_sysconfdir}/securetty
+%config(noreplace) %{_pam_confdir}/other
+%config(noreplace) %{_pam_confdir}/common-*
 %else
-%{_distconfdir}/pam.d/other
-%{_distconfdir}/pam.d/common-*
-%{_distconfdir}/securetty
+%{_pam_vendordir}/other
+%{_pam_vendordir}/common-*
 %endif
 %config(noreplace) %{_sysconfdir}/environment
-%config(noreplace) %{_sysconfdir}/security/access.conf
-%config(noreplace) %{_sysconfdir}/security/group.conf
-%config(noreplace) %{_sysconfdir}/security/faillock.conf
-%config(noreplace) %{_sysconfdir}/security/limits.conf
-%config(noreplace) %{_sysconfdir}/security/pam_env.conf
+%config(noreplace) %{_pam_secconfdir}/access.conf
+%config(noreplace) %{_pam_secconfdir}/group.conf
+%config(noreplace) %{_pam_secconfdir}/faillock.conf
+%config(noreplace) %{_pam_secconfdir}/limits.conf
+%config(noreplace) %{_pam_secconfdir}/pam_env.conf
 %if %{enable_selinux}
-%config(noreplace) %{_sysconfdir}/security/sepermit.conf
+%config(noreplace) %{_pam_secconfdir}/sepermit.conf
 %endif
-%config(noreplace) %{_sysconfdir}/security/time.conf
-%config(noreplace) %{_sysconfdir}/security/namespace.conf
-%config(noreplace) %{_sysconfdir}/security/namespace.init
-%dir %{_sysconfdir}/security/namespace.d
+%config(noreplace) %{_pam_secconfdir}/time.conf
+%config(noreplace) %{_pam_secconfdir}/namespace.conf
+%config(noreplace) %{_pam_secconfdir}/namespace.init
+%dir %{_pam_secconfdir}/namespace.d
 %doc NEWS
 %license COPYING
 %{_mandir}/man5/environment.5%{?ext_man}
@ -380,88 +352,88 @@ done
 %{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_update.8%{?ext_man}
-%{libdir}/libpam.so.0
-%{libdir}/libpam.so.%{libpam_so_version}
-%{libdir}/libpamc.so.0
-%{libdir}/libpamc.so.%{libpamc_so_version}
-%{libdir}/libpam_misc.so.0
-%{libdir}/libpam_misc.so.%{libpam_misc_so_version}
-%dir %{pamdir}
-%{pamdir}/pam_access.so
-%{pamdir}/pam_debug.so
-%{pamdir}/pam_deny.so
-%{pamdir}/pam_echo.so
-%{pamdir}/pam_env.so
-%{pamdir}/pam_exec.so
-%{pamdir}/pam_faildelay.so
-%{pamdir}/pam_faillock.so
-%{pamdir}/pam_filter.so
-%dir %{pamdir}/pam_filter
-%{pamdir}//pam_filter/upperLOWER
-%{pamdir}/pam_ftp.so
-%{pamdir}/pam_group.so
-%{pamdir}/pam_issue.so
-%{pamdir}/pam_keyinit.so
-%{pamdir}/pam_lastlog.so
-%{pamdir}/pam_limits.so
-%{pamdir}/pam_listfile.so
-%{pamdir}/pam_localuser.so
-%{pamdir}/pam_loginuid.so
-%{pamdir}/pam_mail.so
-%{pamdir}/pam_mkhomedir.so
-%{pamdir}/pam_motd.so
-%{pamdir}/pam_namespace.so
-%{pamdir}/pam_nologin.so
-%{pamdir}/pam_permit.so
-%{pamdir}/pam_pwhistory.so
-%{pamdir}/pam_rhosts.so
-%{pamdir}/pam_rootok.so
-%{pamdir}/pam_securetty.so
+%{_libdir}/libpam.so.0
+%{_libdir}/libpam.so.%{libpam_so_version}
+%{_libdir}/libpamc.so.0
+%{_libdir}/libpamc.so.%{libpamc_so_version}
+%{_libdir}/libpam_misc.so.0
+%{_libdir}/libpam_misc.so.%{libpam_misc_so_version}
+%dir %{_pam_moduledir}
+%{_pam_moduledir}/pam_access.so
+%{_pam_moduledir}/pam_debug.so
+%{_pam_moduledir}/pam_deny.so
+%{_pam_moduledir}/pam_echo.so
+%{_pam_moduledir}/pam_env.so
+%{_pam_moduledir}/pam_exec.so
+%{_pam_moduledir}/pam_faildelay.so
+%{_pam_moduledir}/pam_faillock.so
+%{_pam_moduledir}/pam_filter.so
+%dir %{_pam_moduledir}/pam_filter
+%{_pam_moduledir}//pam_filter/upperLOWER
+%{_pam_moduledir}/pam_ftp.so
+%{_pam_moduledir}/pam_group.so
+%{_pam_moduledir}/pam_issue.so
+%{_pam_moduledir}/pam_keyinit.so
+%{_pam_moduledir}/pam_lastlog.so
+%{_pam_moduledir}/pam_limits.so
+%{_pam_moduledir}/pam_listfile.so
+%{_pam_moduledir}/pam_localuser.so
+%{_pam_moduledir}/pam_loginuid.so
+%{_pam_moduledir}/pam_mail.so
+%{_pam_moduledir}/pam_mkhomedir.so
+%{_pam_moduledir}/pam_motd.so
+%{_pam_moduledir}/pam_namespace.so
+%{_pam_moduledir}/pam_nologin.so
+%{_pam_moduledir}/pam_permit.so
+%{_pam_moduledir}/pam_pwhistory.so
+%{_pam_moduledir}/pam_rhosts.so
+%{_pam_moduledir}/pam_rootok.so
+%{_pam_moduledir}/pam_securetty.so
 %if %{enable_selinux}
-%{pamdir}/pam_selinux.so
-%{pamdir}/pam_sepermit.so
+%{_pam_moduledir}/pam_selinux.so
+%{_pam_moduledir}/pam_sepermit.so
 %endif
-%{pamdir}/pam_setquota.so
-%{pamdir}/pam_shells.so
-%{pamdir}/pam_stress.so
-%{pamdir}/pam_succeed_if.so
-%{pamdir}/pam_time.so
-%{pamdir}/pam_timestamp.so
-%{pamdir}/pam_tty_audit.so
-%{pamdir}/pam_umask.so
-%{pamdir}/pam_usertype.so
-%{pamdir}/pam_warn.so
-%{pamdir}/pam_wheel.so
-%{pamdir}/pam_xauth.so
-%{sbindir}/faillock
-%{sbindir}/mkhomedir_helper
-%{sbindir}/pam_namespace_helper
-%{sbindir}/pam_timestamp_check
-%{sbindir}/pwhistory_helper
-%verify(not mode) %attr(4755,root,shadow) %{sbindir}/unix_chkpwd
-%verify(not mode) %attr(4755,root,shadow) %{sbindir}/unix2_chkpwd
-%attr(0700,root,root) %{sbindir}/unix_update
+%{_pam_moduledir}/pam_setquota.so
+%{_pam_moduledir}/pam_shells.so
+%{_pam_moduledir}/pam_stress.so
+%{_pam_moduledir}/pam_succeed_if.so
+%{_pam_moduledir}/pam_time.so
+%{_pam_moduledir}/pam_timestamp.so
+%{_pam_moduledir}/pam_tty_audit.so
+%{_pam_moduledir}/pam_umask.so
+%{_pam_moduledir}/pam_usertype.so
+%{_pam_moduledir}/pam_warn.so
+%{_pam_moduledir}/pam_wheel.so
+%{_pam_moduledir}/pam_xauth.so
+%{_sbindir}/faillock
+%{_sbindir}/mkhomedir_helper
+%{_sbindir}/pam_namespace_helper
+%{_sbindir}/pam_timestamp_check
+%{_sbindir}/pwhistory_helper
+%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
+%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
+%attr(0700,root,root) %{_sbindir}/unix_update
 %{_unitdir}/pam_namespace.service
 %{_tmpfilesdir}/motd.conf

 %files -n pam_unix
 %defattr(-,root,root,755)
-%{pamdir}/pam_unix.so
-%{pamdir}/pam_unix_acct.so
-%{pamdir}/pam_unix_auth.so
-%{pamdir}/pam_unix_passwd.so
-%{pamdir}/pam_unix_session.so
+%{_pam_moduledir}/pam_unix.so
+%{_pam_moduledir}/pam_unix_acct.so
+%{_pam_moduledir}/pam_unix_auth.so
+%{_pam_moduledir}/pam_unix_passwd.so
+%{_pam_moduledir}/pam_unix_session.so

 %files extra
 %defattr(-,root,root,755)
-%{pamdir}/pam_userdb.so
+%{_pam_moduledir}/pam_userdb.so
 %{_mandir}/man8/pam_userdb.8%{?ext_man}

 %files deprecated
 %defattr(-,root,root,755)
-%{pamdir}/pam_cracklib.so
-%{pamdir}/pam_tally2.so
-%{sbindir}/pam_tally2
+%{_pam_moduledir}/pam_cracklib.so
+%{_pam_moduledir}/pam_tally2.so
+%{_sbindir}/pam_tally2

 %files doc
 %defattr(644,root,root,755)
--- a/pam_securetty-don-t-complain-about-missing-config.patch
+++ b/pam_securetty-don-t-complain-about-missing-config.patch
@ -0,0 +1,40 @@
+From e842a5fc075002f46672ebcd8e896624f1ec8068 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Tue, 26 Jan 2021 13:07:20 +0100
+Subject: [PATCH] pam_securetty: don't complain about missing config
+
+Not shipping a config file should be perfectly valid for distros while
+still having eg login pre-configured to honor securetty when present.
+PAM itself doesn't ship any template either. So avoid spamming the log
+file if /etc/securetty wasn't found.
+---
+ modules/pam_securetty/pam_securetty.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
+index b4d71751..47a5cd9f 100644
+--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
+@@ -111,7 +111,8 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
+ #ifdef VENDORDIR
+       if (errno == ENOENT) {
+ 	if (stat(SECURETTY2_FILE, &ttyfileinfo)) {
+-	  pam_syslog(pamh, LOG_NOTICE,
+	  if (ctrl & PAM_DEBUG_ARG)
+	    pam_syslog(pamh, LOG_DEBUG,
+ 		     "Couldn't open %s: %m", SECURETTY2_FILE);
+ 	  return PAM_SUCCESS; /* for compatibility with old securetty handling,
+ 				 this needs to succeed.  But we still log the
+@@ -120,7 +121,8 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
+ 	securettyfile = SECURETTY2_FILE;
+       } else {
+ #endif
+-	pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
+	if (ctrl & PAM_DEBUG_ARG)
+	  pam_syslog(pamh, LOG_DEBUG, "Couldn't open %s: %m", SECURETTY_FILE);
+ 	return PAM_SUCCESS; /* for compatibility with old securetty handling,
+ 			       this needs to succeed.  But we still log the
+ 			       error. */
+-- 
+2.26.2
+
--- a/pam_unix-nis.changes
+++ b/pam_unix-nis.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Jun  9 14:02:02 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
+
+- Remove usrmerged conditional as it's now the default
+
 -------------------------------------------------------------------
 Thu Feb 18 22:16:58 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>

--- a/pam_unix-nis.spec
+++ b/pam_unix-nis.spec
@ -16,19 +16,6 @@
 #


-%if !0%{?usrmerged}
-%define libdir /%{_lib}
-%define sbindir /sbin
-%define pamdir /%{_lib}/security
-%else
-%define libdir %{_libdir}
-%define sbindir %{_sbindir}
-# moving this to /usr needs fixing
-# several packages short of
-# https://github.com/linux-pam/linux-pam/issues/256
-%define pamdir %{_libdir}/security
-%endif
-
 #
 %define enable_selinux 1
 %define libpam_so_version 0.85.1
@ -78,29 +65,25 @@ export CFLAGS="%{optflags} -DNDEBUG"
 	--docdir=%{_docdir}/pam \
 	--htmldir=%{_docdir}/pam/html \
 	--pdfdir=%{_docdir}/pam/pdf \
-%if !0%{?usrmerged}
-	--sbindir=/sbin \
-	--libdir=/%{_lib} \
-%endif
-	--enable-isadir=../..%{pamdir} \
-	--enable-securedir=%{pamdir} \
+	--enable-isadir=../..%{_pam_moduledir} \
+	--enable-securedir=%{_pam_moduledir} \
 	--enable-vendordir=%{_distconfdir} \
 	--enable-tally2 --enable-cracklib
 make -C modules/pam_unix

 %install
-mkdir -p %{buildroot}%{pamdir}
-install -m 755 modules/pam_unix/.libs/pam_unix.so %{buildroot}%{pamdir}/
+mkdir -p %{buildroot}%{_pam_moduledir}
+install -m 755 modules/pam_unix/.libs/pam_unix.so %{buildroot}%{_pam_moduledir}/
 for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
-  ln -f %{buildroot}%{pamdir}/pam_unix.so %{buildroot}%{pamdir}/$x.so
+  ln -f %{buildroot}%{_pam_moduledir}/pam_unix.so %{buildroot}%{_pam_moduledir}/$x.so
 done

 %files
 %license COPYING
-%{pamdir}/pam_unix.so
-%{pamdir}/pam_unix_acct.so
-%{pamdir}/pam_unix_auth.so
-%{pamdir}/pam_unix_passwd.so
-%{pamdir}/pam_unix_session.so
+%{_pam_moduledir}/pam_unix.so
+%{_pam_moduledir}/pam_unix_acct.so
+%{_pam_moduledir}/pam_unix_auth.so
+%{_pam_moduledir}/pam_unix_passwd.so
+%{_pam_moduledir}/pam_unix_session.so

 %changelog
--- a/10
+++ b/10
@ -1,10 +0,0 @@
-# 
-# This file contains the device names of tty lines (one per line,
-# without leading /dev/) on which root is allowed to login.
-#
-tty1
-tty2
-tty3
-tty4
-tty5
-tty6